b'                  U.S. Department of Energy\n                  Office of Inspector General\n                  Office of Audits and Inspections\n\n\n\n\nEVALUATION REPORT\nThe Department of Energy\'s Unclassified\nCybersecurity Program \xe2\x80\x93 2014\n\n\n\n\n DOE/IG-0925                         October 2014\n\x0c                                 Department of Energy\n                                    Washington, DC 20585\n\n                                        October 22, 2014\n\n\nMEMORANDUM FOR THE SECRETARY\n\n\nFROM:                    Gregory H. Friedman\n                         Inspector General\n\nSUBJECT:                 INFORMATION: Evaluation Report on "The Department of Energy\'s\n                         Unclassified Cybersecurity Program \xe2\x80\x93 2014"\n\nBACKGROUND\n\nThe use of information technology by Federal entities is evolving rapidly, leading to\nadvancements in areas such as virtualization technologies, cloud computing, and mobile devices\nthat offer opportunities to increase the value and accessibility of Government resources and\ninformation. However, this progression also exposes Federal information and systems to new\nand constantly changing threats. In its Fiscal Year (FY) 2013 report to Congress, the Office of\nManagement and Budget reported that the volume and sophistication of attacks against Federal\nresources continued to grow, increasing by approximately 26 percent over those reported in\nFY 2012. As such, it is important that the Federal government, to include the Department of\nEnergy, reduce its information security risks to a level commensurate with the criticality of its\nsystems and the sensitivity of the information within them.\n\nThe Federal Information Security Management Act of 2002 (FISMA) established the\nrequirement for Federal agencies to develop, implement, and manage agency-wide information\nsecurity programs. 
In addition, Federal agencies are required to provide acceptable levels of\nsecurity for the information and systems that support their operations and assets. Further,\nFISMA mandated that agency Offices of Inspector General conduct annual independent\nevaluations to determine whether agencies\' unclassified cybersecurity programs adequately\nprotected unclassified data and information systems. This report documents the results of our\nevaluation for the Department for FY 2014.\n\nRESULTS OF EVALUATION\n\nDuring FY 2014, the Department, including the National Nuclear Security Administration, had\ntaken positive actions to improve the security and awareness of the unclassified cybersecurity\nprogram. While the Department continued to make progress in correcting deficiencies identified\nin prior years, additional effort is needed to ensure that the risks of operating systems are\nidentified and that systems and information are adequately secured. In particular:\n\x0c   \xe2\x80\xa2   Even though contractor resources accounted for a majority of the Department\'s more than\n       500 systems, it still had not reported performance metric data for all contractor systems.\n       In response to our prior year\'s evaluation, management indicated its intent to fully report\n       metrics for all contractor systems. However, we found that a significant percentage of\n       the metric information reported to the Department of Homeland Security as part of\n       annual FISMA reporting requirements excluded contractor systems.\n\n   \xe2\x80\xa2   We discovered network systems and workstations at 13 locations with patch management\n       weaknesses of varying degrees of criticality. Specifically, critical and high-risk\n       vulnerabilities were identified on many of the systems and networks tested.\n\n   \xe2\x80\xa2   Our testing also revealed that six locations had weaknesses related to system integrity of\n       Web applications. 
In these instances, Web applications\xe2\x80\x94including business, human\n       resources, and general support applications\xe2\x80\x94did not properly validate input data,\n       increasing the risk of malicious attacks that could result in unauthorized access to the\n       application and sensitive data stored within them.\n\n   \xe2\x80\xa2   At eight locations, issues related to weaknesses in logical access controls were identified\n       that could allow an attacker to gain access to sensitive data or disrupt network\n       connectivity to systems, applications, and devices.\n\n   \xe2\x80\xa2   Weaknesses related to the configuration management process, including inadequate\n       support for testing and approving changes, existed at four locations. Configuration\n       management involves the identification and management of security features for all\n       components of an information system at a given point and systematically controls\n       changes to that configuration during the system\'s life cycle.\n\n   \xe2\x80\xa2   At three locations, the overall security management program contained various\n       deficiencies related to cybersecurity training, audit logging and monitoring, system\n       inventories, incident reporting, and contingency planning.\n\nThe issues identified occurred, at least in part, because the Department\'s programs and sites\nreviewed had not ensured that cybersecurity policies and procedures were developed and\nproperly implemented. For example, numerous locations had not implemented processes that\ncould have prevented many of the weaknesses identified during our testing. In addition, as noted\nin our prior evaluation report, the Department\'s performance monitoring and risk management\nprograms were not completely effective.\n\nWithout improvements, the Department\'s unclassified cybersecurity program will continue to\noperate at a higher-than-necessary level of risk. 
In addition, the weaknesses identified in this\nreport should be thoroughly considered as the Department transitions its cybersecurity program\nfrom the traditional compliance-based process to one that supports the National Institute of\nStandards and Technology\'s Risk Management Framework and continuous system\nauthorizations. Continued deficiencies in the areas outlined in this report could adversely affect\nthe Department\'s ability to gain or retain assurance that its systems and data are operated and\nmaintained within acceptable levels of risk.\n\n                                                 2\n\x0cDue to the sensitive nature of the vulnerabilities identified during our evaluation, specific\ninformation and site locations have been omitted from this report. Site and program officials have\nbeen provided with detailed information regarding vulnerabilities that were identified at their sites\nand, in many cases, initiated corrective actions to address the identified deficiencies.\n\nMANAGEMENT REACTION\n\nManagement concurred with the report\'s recommendations and indicated that corrective actions\nhad been initiated or were planned to address the issues identified in the report. Management\'s\ncomments and our responses are summarized in the body of the report. 
Management\'s formal\ncomments are included in their entirety in Appendix 3.\n\nAttachment\n\ncc: Deputy Secretary\n    Under Secretary for Nuclear Security\n    Deputy Under Secretary for Science and Energy\n    Deputy Under Secretary for Management and Performance\n    Chief of Staff\n    Acting Chief Information Officer\n    Acting Chief Financial Officer\n\n\n\n\n                                                 3\n\x0cEVALUATION REPORT ON THE DEPARTMENT OF\nENERGY\'S UNCLASSIFIED CYBERSECURITY PROGRAM \xe2\x80\x93\n2014\n\n\nTABLE OF CONTENTS\n\nEvaluation Report\n\nDetails of Finding ............................................................................................................................1\n\nRecommendations ............................................................................................................................9\n\nManagement Response and Auditor Comments ............................................................................10\n\nAppendices\n\n     1. Objective, Scope and Methodology ...................................................................................11\n\n     2. Related Reports ..................................................................................................................13\n\n     3. Management Comments ....................................................................................................17\n\x0cTHE DEPARTMENT OF ENERGY\'S UNCLASSIFIED\nCYBERSECURITY PROGRAM \xe2\x80\x93 2014\n\nDETAILS OF FINDING\nThe Federal Information Security Management Act of 2002 (FISMA) mandated that agency\nOffices of Inspector General conduct annual independent evaluations to determine whether\nunclassified cybersecurity programs adequately protected data and information systems. During\nFiscal Year (FY) 2014, we reviewed the unclassified cybersecurity programs at 24 Department\nof Energy (Department) locations, including Headquarters. 
The scope of our fieldwork activities\nincluded validating corrective actions taken to remediate prior year weaknesses, reviewing\ninformation technology controls over networks and applications, and conducting technical\nvulnerability scanning both within and external to the networks.\n\nActions taken to improve the Department\'s unclassified cybersecurity program since our prior\nevaluation resulted in the closure of 25 of the 39 deficiencies reported in our FY 2013 review.\nHowever, test work performed in conjunction with the current year\'s review continued to identify\nweaknesses in the same areas reported in past years. Specifically, our review of the\nDepartment\'s Under Secretary for Nuclear Security, Under Secretary for Science and Energy,\nand Under Secretary for Management and Performance organizations found that additional effort\nis needed to ensure that systems and information are adequately secured, and the risks of\noperating systems are known. Based on the results of our FY 2014 evaluation, we identified\nvulnerabilities at many of the 24 locations reviewed, including 11 new and 14 unresolved\nweaknesses from prior years\' reviews.\n\nProgram Improvements\n\nDuring FY 2014, the Department, including the National Nuclear Security Administration\n(NNSA), had taken several positive actions to improve the security and awareness of its\nunclassified cybersecurity program. In particular:\n\n   \xe2\x80\xa2   In July 2014, the Department\'s Cyber Council formalized and approved its Information\n       Management Governance Framework. The overall goals of the framework are to support\n       mission enhancement, operational excellence and risk management across the\n       Department. 
It is intended to ensure that policy decisions are appropriate, foster open and\n       honest communication, and support collaborative oversight of information management\n       to achieve transparency and accountability.\n\n   \xe2\x80\xa2   NNSA continued to enhance its Enterprise Continuous Monitoring Program. When fully\n       implemented, this automated solution is expected to enable the transformation of the\n       static compliance-based risk determination process into a dynamic process, thus\n       facilitating near real-time situational awareness and appropriate cost-effective risk-based\n       decisions. As of August 2014, NNSA reported that all of its sites, including\n       Headquarters, had successfully established and were operating internal data feeds\n       supporting information related to systems, FISMA compliance and plan of action and\n       milestone progress.\n\n\n\n\nDetails of Finding                                                                        Page 1\n\x0c   \xe2\x80\xa2   The Office of Environmental Management continued to implement its Mission\n       Information Protection Program, which provided enterprise capabilities to 15 sites\n       through its Continuous Monitoring Center. Program capabilities included firewalls,\n       capture of network traffic, intrusion detection, malware reverse engineering, vulnerability\n       scanning, log management, patching of third-party products and other custom solutions\n       that provided additional insight into the Office of Environmental Management\'s\n       cybersecurity posture.\n\n   \xe2\x80\xa2   The Office of the Chief Information Officer reported various cybersecurity improvements\n       that resulted in significant risk reduction to the operating environment it manages. 
As of\n       July 2014, officials reported that the organization had implemented configuration\n       enhancements to its architecture and operating environment, deployed a virtual desktop\n       infrastructure service, reduced the number of critical systems with Internet access, added\n       risk mitigation capabilities to its servers and gateway, and improved vulnerability and\n       patch management processes and procedures.\n\nAlthough these actions should help improve enterprise-level awareness and management of the\nDepartment\'s unclassified cybersecurity program, our current evaluation identified weaknesses\nthat, if left uncorrected, could adversely affect the Department\'s ability to identify, assess, and\nmitigate new and existing threats and risks to its systems and data.\n\nUnclassified Cybersecurity Program Implementation\n\nThe FY 2014 evaluation identified an ongoing area of concern related to the completeness of\ncybersecurity performance metrics reported to the Department of Homeland Security (DHS) for\nanalysis and consideration in the Office of Management and Budget\'s annual FISMA report to\nCongress. In addition, our current evaluation identified weaknesses in security patch\nmanagement, system integrity of Web applications, access control, configuration management,\nand security management. Taking into consideration the Department\'s risk-based approach to\ncybersecurity, the weaknesses noted in our report generally had not been identified and/or the\nrisk posed by the weaknesses accepted by management prior to our testing.\n\n                                       Security Reporting\n\nContrary to management comments on our prior year\'s evaluation, the Department still had not\nreported performance metric data for all contractor systems. Performance metrics related to 11\ncybersecurity areas are to be reported to DHS and the Office of Management and Budget under\nthe requirements of FISMA. 
The failure to report contractor system information was first\nidentified in our evaluation report on The Department of Energy\'s Unclassified Cyber Security\nProgram \xe2\x80\x93 2013 (IG-0897, October 2013). In response, management stated that performance\nmetrics would be reported for both Federal and contractor resources. However, our review of the\nFY 2013 annual report submitted to DHS found that 60 of 97 metrics requested had been\ncompleted for Federal systems only, even though contractor resources accounted for 359 of the\nDepartment\'s 511 (70 percent) reported systems. As a result, the Department did not provide\ncomplete information related to its cybersecurity program in all or a portion of eight reporting\nareas, including configuration management, vulnerability and weakness management, identity\nand access management, boundary protection, and remote access. In addition, representatives\n\nDetails of Finding                                                                           Page 2\n\x0cfrom a number of locations indicated that information related to the Administration Priority\ntopics (continuous monitoring, identity management, and boundary protection) was either not\napplicable or had not been requested by the cognizant Headquarters element. As such, progress\ntowards implementing important initiatives such as Homeland Security Presidential\nDirective 12, could not be effectively measured.\n\nOur review of the Department\'s data call for the FY 2014 annual FISMA report to DHS found\nthat contractor results still had not been requested for metrics related to data protection and\nincident management, and only partial results had been requested for metrics related to asset\nmanagement, identity and access management, remote access, and boundary protection. 
While\nthe Department\'s Memorandum of Understanding with DHS allowed for documented, mutually\nacceptable alternative methodologies, such action had not been taken to modify the Department\'s\nreporting requirements.\n\n                                     Patch Management\n\nThe Department continued to make improvements to its patch management program, resulting in\nthe closure of four prior-year deficiencies in this area. However, our testing of a limited number\nof network segments, general business and related systems, and workstations at 13 locations\nidentified weaknesses of varying degrees of criticality. Specifically, critical and/or high-risk\nvulnerabilities were identified on many of the systems and networks tested. For instance:\n\n   \xe2\x80\xa2   One location was running operating system and/or client applications without current\n       security patches for known vulnerabilities that had been released more than 90 days prior\n       for 235 of 270 (87 percent) workstations tested. Missing patches included those for\n       productivity, mobile device management and remote access applications, databases,\n       development environments, media players, and Web browser add-ons. Similarly, another\n       location had not completed corrective action to correct the weaknesses identified during\n       our prior year\'s evaluation.\n\n   \xe2\x80\xa2   Network systems at three locations were running operating system and/or application\n       software without current security patches for known vulnerabilities that had been released\n       more than 30 days prior to testing. Similar issues had been noted at two of these\n       locations for at least 4 years. 
Overall, we identified 180 instances of outdated or missing\n       patches on these systems.\n\n   \xe2\x80\xa2   Two locations were running operating systems or applications that were no longer\n       supported by the vendor on 16 servers\xe2\x80\x942 of which had not been supported since 2010.\n       In addition, two systems at one location were using an application for which vendor\n       support had ended in late 2013. In this case, management indicated that the upgrade to a\n       supported application was planned to be completed in late 2014. However, until such\n       action is completed, the risk to the systems and information remains higher than\n       necessary. This issue is similar to weaknesses identified in our Special Report on The\n       Department of Energy\'s July 2013 Cyber Security Breach (DOE/IG-0900, December\n       2013).\n\n\n\n\nDetails of Finding                                                                        Page 3\n\x0cAlthough officials at the reviewed locations noted that certain controls to mitigate the risks\nassociated with these security weaknesses had been implemented, an attacker may have been\nable to successfully execute attacks against the vulnerable servers, applications, and workstations\nby using publicly available exploits as well as custom attacks with no known signatures.\nExploitation by unauthorized or malicious individuals could lead to disruption of sensitive data\nor systems, as well as theft or improper disclosure of confidential business information. Notably,\nthe Department\'s Office of Enterprise Assessments reported similar issues at four locations in\nFY 2014.\n\n                           System Integrity of Web Applications\n\nWe identified numerous weaknesses at six locations related to system integrity of Web\napplications. 
In these instances, Web applications\xe2\x80\x94including business, human resources, and\ngeneral support applications\xe2\x80\x94did not properly validate input data, increasing the risk of\nmalicious attacks that could result in unauthorized access to the application and sensitive data\nstored within them. Specifically:\n\n   \xe2\x80\xa2   Twelve applications at six locations accepted malicious input data that could be used to\n       launch attacks to gain unauthorized access to the application. Such attacks, known as\n       cross-site scripting, could allow an attacker to compromise legitimate users\' workstation\n       and application logon credentials. One of the 10 applications also did not validate input\n       data and allowed the data to be used in improperly designed queries, thereby making the\n       application vulnerable to attacks against the application\'s database server. This type of\n       attack could result in the loss or modification of information stored within the database.\n\n   \xe2\x80\xa2   Another application used to support financial processing did not properly validate access\n       privileges associated with end-user requests. We found that the application could accept\n       requests regardless of the role the requesting user had been assigned and could have\n       allowed unauthorized access to the system\'s information.\n\n   \xe2\x80\xa2   One access control application stored user authentication information in an unsecured\n       manner on the system, making the information accessible to any Web server on the same\n       network. Web applications that do not properly protect the confidentiality of user\n       authentication tokens are at increased risk of unauthorized access to the application and\n       sensitive data stored within the system.\n\n   \xe2\x80\xa2   One location had corrected specific issues identified in prior years. 
However, its\n       corrective action plan to implement Web access management and user identity\n       administration functionality and develop a risk-based approach for managing its Web\n       applications had not been completed.\n\nWeb application attacks could have negative impacts on the security of the information systems,\nas well as application and data reliability. The Office of Enterprise Assessments noted similar\nissues at five locations it reported on in FY 2014.\n\n\n\n\nDetails of Finding                                                                         Page 4\n\x0c                                       Access Control\n\nAlthough the Department had taken steps to correct several of the access control-related\nweaknesses identified in our prior year\'s review, several locations continued to experience\nproblems in this area. Strong access controls provide assurance that access to information\ntechnology resources is reasonable and restricted to authorized individuals. Our review found:\n\n   \xe2\x80\xa2   Eight locations had not performed a periodic review of system accounts and/or\n       disabled or removed system accounts in a timely manner. For instance, two locations\n       had not completed actions to correct issues identified during our previous evaluation.\n       Another location conducted a management review of user accounts to identify and\n       remove those that were associated with terminated employees. However, the review\n       was performed using an outdated database and, as a result, officials still had not\n       disabled or removed terminated users\' access in a timely manner. 
Although required\n       by site-level procedures, a fourth location had not deactivated seven user accounts in a\n       timely manner upon termination, including three that were not set to expire after\n       60 days of inactivity.\n\n   \xe2\x80\xa2   Three locations had not securely configured network servers, devices and/or workstations\n       to protect against unauthorized access. We identified 41 servers, 14 workstations and 2\n       network devices that were configured with default or easily guessed passwords. In\n       addition, two file shares, five servers and one network device at two of the locations were\n       configured to allow connections from any other system without the use of authentication\n       or other access controls. Further, numerous systems at one location were affected by an\n       authentication bypass vulnerability that could allow an individual to logon as an\n       administrator without a password.\n\nDatabases with default or weak login credentials are at increased risk of unauthorized access,\nwhich could allow an attacker to gain access to sensitive data. Unauthorized access to network\ndevices could result in a disruption of network connectivity to those devices or even\nunauthorized access to other key systems, applications and devices. The Office of Enterprise\nAssessments also identified similar weaknesses at five locations in FY 2014.\n\n                               Configuration Management\n\nOur evaluation identified weaknesses related to the configuration management process at four\nlocations. Configuration management involves the identification and management of security\nfeatures for all components of an information system at a given point and systematically controls\nchanges to that configuration during the system\'s life cycle. 
At one location, although\nmodifications to the property management application were tracked, our review of a sample of\nchanges found that change requests did not contain sufficient details to determine whether the\nchanges had been authorized, tested and approved prior to implementation.\n\nIn addition, changes made to applications at three locations had been performed by developers\nwithout appropriate segregation of duties, including providing developers with administrator\naccess to the application\'s production environment even though such privilege was not needed to\nperform their job functions. At another location, we found that previously identified weaknesses\n\n\nDetails of Finding                                                                        Page 5\n\x0crelated to the application change control process still had not been fully remediated. In several\ninstances, management indicated that mitigating controls were in place, and the risk of the\nidentified weaknesses had been accepted.\n\n                                    Security Management\n\nOur evaluation identified several weaknesses at one location related to the site\'s overall\nsecurity management program. In particular, site officials had not ensured that personnel with\ninformation security responsibilities had received specialized, role-based training, system access\nand activity was not logged and monitored, and servers and the information supporting the\nlogging and security functions were not always protected from unauthorized access, modification\nand/or deletion. In addition, the site had not developed a complete inventory of information\nsystem assets, and all lost/stolen equipment was not appropriately reported to the Department\'s\nJoint Cybersecurity Coordination Center. 
Although these weaknesses had been discovered\nduring our prior year\'s evaluation, the site had not completed corrective actions in these areas.\nManagement indicated that remediation was expected to be completed in FY 2015.\n\nThe evaluation also identified opportunities for improvement related to contingency planning at\ntwo locations. One location had not reviewed and updated its Continuity of Operations and\nInformation Technology Disaster Recovery Plans in almost 3 years, despite the requirements to\ndo so at least annually. In addition, although one site was preparing its Business Impact Analysis\nat the time of our testing, the document had not been completed. The Office of Enterprise\nAssessments identified similar issues related to training, incident response, contingency planning\nand/or audit logging processes within the unclassified cybersecurity programs at all locations\nreported on during FY 2014.\n\nManagement of the Unclassified Cybersecurity Program\n\nThe issues identified occurred, at least in part, because the Department\'s elements had not\nensured that cybersecurity policies and procedures were developed and implemented. In\naddition, as noted in our prior evaluation report, the Department continued to encounter\nweaknesses related to effective performance monitoring and risk management programs.\n\n                                   Policies and Procedures\n\nThe Department\'s programs had not always established or updated cybersecurity policies in a\ntimely manner to ensure that site systems were not exposed to a higher than necessary level of\nrisk. In particular, despite noting that it would be updated at least every 2 years, the Office of\nScience had not updated its Program Cybersecurity Plan since June 2010. This policy is meant\nto provide a foundation for ensuring the confidentiality, integrity and availability of information\nand systems at the National Laboratories managed by the Office of Science. 
However, a review\nof the current plan noted that, in at least one instance, it required the use of an outdated version\nof cybersecurity requirements promulgated by the National Institute for Standards and\nTechnology. Officials within the Office of Science indicated that the plan was expected to be at\nleast partially updated by December 2014.\n\n\n\n\nDetails of Finding                                                                           Page 6\n\x0cIn addition, several issues identified during the FY 2014 evaluation occurred because sites had\nnot documented processes and procedures to ensure that unclassified cybersecurity programs\nadequately protected the sites\' unclassified systems and information. Specifically, two locations\nhad not fully established procedures to ensure security vulnerabilities were identified, monitored\nand remediated in a timely manner, including weaknesses related to default and easily guessed\npasswords. In addition, four locations had not developed processes to validate input information\nand/or identify, monitor and remediate vulnerabilities in Web-facing applications, and one\nlocation had not developed procedures to establish auditable events and audit record retention\nperiods.\n\nAlthough processes and procedures at certain locations had been documented, they were not\nalways fully implemented. In one case, we found that system security officials were unaware of\nthe process requirements. In addition, while processes had been developed and implemented at\nthree locations, the processes did not always work as expected. For example, one site had\nimplemented a system to block vulnerable hosts from connecting to the network; however,\ncoding errors within the system prevented it from initiating blocks in some cases. 
At another location, system changes had not been fully tested to ensure that they had not negatively affected the system's functionality.

Performance Monitoring and Risk Management

Since our prior review, the Department had made limited progress in improving its corrective action tracking process. Specifically, the use of plans of action and milestones is required to identify and measure progress toward remediating known cybersecurity weaknesses. When used properly, the process can be an invaluable monitoring tool for management to identify, prioritize and track remediation activities for known cybersecurity weaknesses. However, we identified concerns that hampered management's ability to use the tool as envisioned. In particular:

   •   Although all programs submitted plans of action and milestones to the Department's Office of the Chief Information Officer, they were not always complete and, as such, did not provide a complete inventory of known weaknesses. We found that 22 of 39 weaknesses identified during our FY 2013 evaluation were not tracked in the plans of action and milestones submitted to the Department. As noted in our prior reports, failure to track and report known weaknesses deprives senior Department management of needed visibility into critical weaknesses in the unclassified cybersecurity program.

   •   Similar to our FY 2013 evaluation, we noted that the percentage of overdue milestones continued to increase. We found that 699 of 1,072 (65 percent) open milestones were past the scheduled completion date—a significant increase from the 51 percent reported in the prior year. Of those, almost half had exceeded their expected completion date by more than a year. While it is not expected that all corrective actions would be completed as scheduled, the increase in the number of missed milestones concerns us.

   •   Our analysis determined that 266 of the Department's 638 (42 percent) open weaknesses had been assigned a remediation cost of 1 dollar. The required resources are an important element used by management in prioritizing and budgeting for corrective actions. Interestingly, weaknesses assigned to the Office of the Chief Information Officer accounted for more than half of these items.

   •   In many cases, the Department's plans of action and milestones did not provide information at a level of granularity that would allow management to monitor and track progress made toward remediating weaknesses. Specifically, approximately two-thirds of open weaknesses only had one associated milestone.

Several locations had not implemented risk management programs that allowed the Authorizing Official [1] to fully consider all risks when accepting the risk of system operation. For example, at two locations, the risk management process did not include documentation and acceptance of risks related to operating Web applications. Another location had not fully implemented its risk management program to include an accurate system inventory, which could increase the risk of implementing inadequate security controls on systems.

Risk to Information and Systems

Without improvements, the Department's unclassified cybersecurity program will continue to operate at a higher-than-necessary level of risk. Deficiencies in developing, updating and implementing guidance and processes have adversely affected the Department's ability to properly secure its systems and the information stored within them.
In addition, the weaknesses identified throughout this report may increase the risk of unauthorized disclosure of sensitive information in mission-based and financial systems and, as such, should continue to be addressed by management. Further, ineffective tracking of known cybersecurity weaknesses could result in understating a system's residual risk—that risk remaining after mitigation of known weaknesses—resulting in the Authorizing Official assuming responsibility for the system without having full awareness of its vulnerabilities.

The weaknesses identified in this report should be thoroughly considered as the Department transitions its cybersecurity program from the traditional compliance-based certification and accreditation process to one that supports the National Institute of Standards and Technology's Risk Management Framework and ongoing system authorizations. Without improvements in the areas listed within this report, the Department's ability to gain or retain assurance that its systems and data are operated and maintained within tolerable levels of risk could be adversely affected.

[1] An Authorizing Official is a senior Federal official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk.

RECOMMENDATIONS

To improve the Department's unclassified cybersecurity program and to correct the weaknesses identified in this report, we recommend that the Under Secretary for Nuclear Security, Under Secretary for Science and Energy and Under Secretary for Management and Performance, in coordination with the Department's and National Nuclear Security Administration's Chief Information Officers, direct Federal and contractor programs and sites to:

   1. Correct, through the implementation of appropriate controls, the weaknesses identified within this report;

   2. Develop and implement policies and procedures, as needed, in accordance with Federal and Department requirements to ensure that systems and information are and remain adequately secured;

   3. Fully develop and utilize plans of action and milestones to improve its performance monitoring program by identifying, prioritizing and tracking the progress of remediation actions for all identified cybersecurity weaknesses; and

   4. Include complete information for both Federal- and contractor-managed cybersecurity programs when reporting the status of performance metrics annually to DHS.

MANAGEMENT RESPONSE

Management concurred with each of the report's recommendations and indicated that corrective actions had been initiated or were planned to address the identified issues. For instance, management stated that the specific weaknesses identified in our report would be included in the Department's plan of action and milestones. In addition, management stated that it would enhance its capabilities to assess the plans of action and milestones for completeness and accuracy and initiate processes to validate information.
Management also commented that it would continue to work to identify an effective means to capture cybersecurity metric data and ensure that a strategy is implemented to collect more accurate data in the various FISMA metric areas, particularly those related to the Administration's priorities.

AUDITOR COMMENTS

Management's comments and planned corrective actions were responsive to our recommendations. Management's comments are included in Appendix 3.

APPENDIX 1

OBJECTIVE, SCOPE AND METHODOLOGY

Objective

To determine whether the Department of Energy's (Department) unclassified cybersecurity program adequately protected its data and information systems.

Scope

We conducted the evaluation from February to October 2014, at 24 Department locations under the responsibility of the Under Secretary for Nuclear Security, Under Secretary for Science and Energy and the Under Secretary for Management and Performance. The focus of our evaluation was the Department's unclassified cybersecurity program. This work involved a limited review of general and application controls in areas such as security management, access controls, configuration management, segregation of duties and contingency planning. Where vulnerabilities were identified, the evaluation did not include a determination of whether the vulnerabilities were actually exploited.
This audit was conducted under the Office of Inspector General Project Number A14TG026.

Methodology

To accomplish our objective, we:

   •   Reviewed Federal regulations and Department directives pertaining to information and cybersecurity.

   •   Reviewed applicable standards and guidance issued by the National Institute of Standards and Technology for the planning and management of system and information security.

   •   Obtained and analyzed documentation from Department programs and selected sites pertaining to the planning, development, and management of cybersecurity-related functions, such as cybersecurity plans and plans of action and milestones.

   •   Held discussions with officials from the Department and the National Nuclear Security Administration.

   •   Assessed controls over network operations and systems to determine the effectiveness related to safeguarding information resources from unauthorized internal and external sources.

   •   Evaluated selected Headquarters' offices and field sites in conjunction with the annual audit of the Department's Consolidated Financial Statements, utilizing work performed by KPMG, LLP, the Office of Inspector General's contract auditor. Office of Inspector General and KPMG, LLP work included analysis and testing of general and application controls for systems, as well as internal and external vulnerability testing of networks, systems and workstations.

   •   Evaluated and incorporated the results of other cybersecurity review work performed by the Office of Inspector General, the Government Accountability Office and the Office of Enterprise Assessments' Office of Cyber and Security Assessments.

We conducted this evaluation in accordance with generally accepted Government auditing standards. Those standards require that we plan and perform the review to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our objectives. Accordingly, we assessed significant internal controls and the Department's implementation of the GPRA Modernization Act of 2010 and determined that it had established performance measures for its information and cybersecurity program. Because our review was limited, it would not have necessarily disclosed all internal control deficiencies that may have existed at the time of our evaluation. We did not solely rely on computer-processed data to satisfy our objective. However, computer-assisted audit tools were used to perform scans of various networks and drives.
We validated the results of the scans by confirming the weaknesses disclosed with responsible on-site personnel and performed other procedures to satisfy ourselves as to the reliability and competence of the data produced by the tests.

An exit conference was held with management on October 22, 2014.

APPENDIX 2

RELATED REPORTS

Office of Inspector General

   •   Audit Report on The Department of Energy's Implementation of Voice over Internet Protocol Telecommunications Networks (DOE/IG-0915, June 2014). Our review identified opportunities to improve the efficiency and enhance cybersecurity of the Department of Energy's (Department) Voice over Internet Protocol (VoIP) networks. In particular, we found that programs and sites had not always applied required cybersecurity controls to VoIP networks, thus increasing the risk of compromise. The issues identified occurred, in part, because the Department had not adequately monitored the implementation of cybersecurity controls for VoIP systems. Without improvements, the duplicative and fragmented VoIP implementation approach that we identified could continue unabated and result in additional, unnecessary expenditures of resources at programs and/or sites that have not yet upgraded to VoIP systems.

   •   Special Report on the Office of Energy Efficiency and Renewable Energy's Integrated Resource and Information System (DOE/IG-0905, April 2014). Our review largely substantiated the allegations received related to contract and project management.
We discovered that the Office of Energy Efficiency and Renewable Energy (EERE) had not effectively managed the development and implementation of the Integrated Resource and Information System (IRIS). In particular, EERE failed to follow the Department's structured capital planning and investment control process and had not provided effective monitoring of the project. In addition, EERE had not implemented key cybersecurity controls designed to protect IRIS and the network on which it resided. Without a well-defined project planning and execution process that includes baselines and deliverables, EERE could not ensure that significant funds spent on IRIS and other future information technology projects were used in a cost-effective manner.

   •   Special Report on The Department of Energy's July 2013 Cyber Security Breach (DOE/IG-0900, December 2013). In spite of a number of early warning signs that certain personnel-related information systems were at risk, the Department had not taken action necessary to protect the personally identifiable information of a large number of its past and present employees, their dependents, and many contractors. We concluded that the July 2013 incident resulted in the exfiltration of a variety of personally identifiable information on over 104,000 individuals. Our review identified a number of technical and management issues that contributed to an environment in which this breach was possible. Compliance and technical problems included the frequent use of complete social security numbers as identifiers, permitting direct internet access to a highly sensitive system without adequate security controls, lack of assurance that required security planning and testing activities were conducted, and failure to assign the appropriate level of urgency to replace end-of-life systems. We also identified numerous contributing factors related to inadequate management processes. These issues created an environment in which the cybersecurity weaknesses we observed could go undetected and/or uncorrected. While we did not identify a single point of failure that led to the breach, the combination of the technical and managerial problems we observed set the stage for individuals with malicious intent to access the system with what appeared to be relative ease.

   •   Special Report on Management Challenges at the Department of Energy – Fiscal Year 2014 (DOE/IG-0899, November 2013). Based on the work performed during Fiscal Year 2013, the Office of Inspector General identified eight areas, including cybersecurity, which remained a management challenge for the Department in Fiscal Year 2014.

   •   Evaluation Report on The Department of Energy's Unclassified Cyber Security Program – 2013 (DOE/IG-0897, October 2013). The Department had taken a number of positive steps over the past year to correct cybersecurity weaknesses related to its unclassified information systems.
In spite of these efforts, we found that significant weaknesses and associated vulnerabilities continued to expose the Department's unclassified information systems to a higher than necessary risk of compromise. Our testing revealed various weaknesses related to security reporting, access controls, patch management, system integrity, configuration management, segregation of duties and security management. In total, we discovered 29 new weaknesses and confirmed that 10 weaknesses from the prior year's review had not been resolved. The weaknesses we identified occurred, in part, because Department elements had not ensured that policies and procedures were fully developed and implemented to meet all necessary cybersecurity requirements. In addition, the Department continued to operate a less than fully effective performance monitoring and risk management program. Absent improvements to its unclassified cybersecurity program, the Department's information and systems will continue to be at a higher than necessary risk of compromise.

   •   Audit Report on Management of Naval Reactors' Cyber Security Program (DOE/IG-0884, April 2013). Although the Naval Reactors Program had made a number of enhancements to its cybersecurity program over the past year, we identified weaknesses related to vulnerability management, access controls, incident response and security awareness training that could negatively affect its security posture. The weaknesses identified occurred, in part, because officials had not ensured that necessary cybersecurity controls were fully implemented. Specifically, they had not fully developed and/or implemented policies and procedures related to vulnerability management, access controls, incident response and cybersecurity training. In addition, the Naval Reactors Program had not always effectively utilized plans of action and milestones to track, prioritize, and remediate cybersecurity weaknesses.

   •   Audit Report on Management of Los Alamos National Laboratory's Cyber Security Program (DOE/IG-0880, February 2013). Los Alamos National Laboratory (LANL) had taken steps to address concerns regarding its cybersecurity program raised in prior evaluations. However, we identified continuing concerns related to LANL's implementation of risk management, system security testing and vulnerability management practices. The issues identified occurred, in part, because of a lack of effective monitoring and oversight of LANL's cybersecurity program by the Los Alamos Site Office, including approval of practices that were less rigorous than those required by Federal directives. In addition, we found that LANL's Information Technology Directorate had not followed National Nuclear Security Administration policies and guidance for assessing system risk and had not fully implemented the Laboratory's own policy related to ensuring that scanning was conducted to identify and mitigate security vulnerabilities in a timely manner.

   •   Audit Report on Follow-up Audit of the Department's Cyber Security Incident Management Program (DOE/IG-0878, December 2012).
Although certain actions had been taken in response to our prior audit report, we identified several issues that limited the efficiency and effectiveness of the Department's cybersecurity incident management program and adversely impacted the ability of law enforcement to investigate incidents. The issues identified were due, in part, to the lack of a unified, Department-wide cybersecurity incident management strategy. In addition, changes to the Department's Incident Management Program policy and guidance may have adversely impacted overall incident management and response by law enforcement and counterintelligence officials. Also, we found that incident reporting to law enforcement was not always timely or complete, which hindered investigations into events. In the absence of an effective enterprise-wide cybersecurity incident management program, a decentralized and fragmented approach had evolved that placed the Department's information systems and networks at increased risk.

   •   Evaluation Report on The Department's Unclassified Cyber Security Program – 2012 (DOE/IG-0877, November 2012). The Department had taken steps over the past year to address previously identified cybersecurity weaknesses and enhance its unclassified cybersecurity programs. The overall number of identified vulnerabilities decreased from 56 weaknesses in the prior year's evaluation to 38 in 2012. Although the number of vulnerabilities identified was reduced, the types and severity of weaknesses continued to persist and remained consistent with prior years. The weaknesses involved problems with access controls, vulnerability management, integrity of Web applications, planning for continuity of operations and change control management. The weaknesses identified occurred, in part, because Department elements had not ensured that cybersecurity requirements were fully developed and implemented. In addition, programs and sites had not always effectively monitored performance to ensure that appropriate controls were in place.

   •   Audit Report on Management of Western Area Power Administration's Cyber Security Program (DOE/IG-0873, October 2012). The Western Area Power Administration had made a number of enhancements to its cybersecurity program since our prior review. However, several weaknesses related to vulnerability management and security controls existed that could negatively impact its cybersecurity posture. Specifically, Western Area Power Administration had not always implemented cybersecurity controls designed to address known system vulnerabilities and ensured that access controls designed to protect its information systems and data were in place.
The weaknesses identified occurred, in part, because Western Area Power Administration had not always implemented policies and procedures related to vulnerability and patch management.

Government Accountability Office

   •   Report on INFORMATION SECURITY: Federal Agencies Need to Enhance Responses to Data Breaches (GAO-14-487T, April 2014).

   •   Report on INFORMATION SECURITY: Agencies Need to Improve Cyber Incident Response Practices (GAO-14-354, April 2014).

   •   Report on FEDERAL INFORMATION SECURITY: Mixed Progress in Implementing Program Components; Improved Metrics Needed to Measure Effectiveness (GAO-13-776, September 2013).

   •   Report on CYBERSECURITY: A Better Defined and Implemented National Strategy Is Needed to Address Persistent Challenges (GAO-13-462T, March 2013).

   •   Report on HIGH-RISK SERIES: An Update (GAO-13-283 and GAO-13-359T, February 2013).

   •   Report on CYBERSECURITY: National Strategy, Roles, and Responsibilities Need to Be Better Defined and More Effectively Implemented (GAO-13-187, February 2013).

APPENDIX 3

MANAGEMENT COMMENTS

[Management comments: scanned pages 17 through 19 of the original report; no text was extracted.]

FEEDBACK

The Office of Inspector General has a continuing interest in improving the usefulness of its products. We aim to make our reports as responsive as possible and ask you to consider sharing your thoughts with us.

Please send your comments, suggestions and feedback to OIGReports@hq.doe.gov and include your name, contact information and the report number. Comments may also be mailed to:

                              Office of Inspector General (IG-12)
                                     Department of Energy
                                    Washington, DC 20585

If you want to discuss this report or your comments with a member of the Office of Inspector General staff, please contact our office at (202) 253-2162.